EP2704063A1 - Detection arrangement - Google Patents

Publication number
EP2704063A1
Authority
EP
European Patent Office
Prior art keywords
signal
semiconductor device
detection arrangement
driver
signals
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
EP12182221.7A
Other languages
German (de)
French (fr)
Other versions
EP2704063B1 (en)
Inventor
Soenke Ostertun
Joachim Christoph Hans Garbe
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
NXP BV
Original Assignee
NXP BV
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by NXP BV
Priority to EP12182221.7A (EP2704063B1)
Priority to CN201310302715.8A (CN103679010B)
Priority to US14/010,145 (US9471792B2)
Publication of EP2704063A1
Application granted
Publication of EP2704063B1
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06K GRAPHICAL DATA READING; PRESENTATION OF DATA; RECORD CARRIERS; HANDLING RECORD CARRIERS
    • G06K19/00 Record carriers for use with machines and with at least a part designed to carry digital markings
    • G06K19/06 Record carriers for use with machines and with at least a part designed to carry digital markings characterised by the kind of the digital marking, e.g. shape, nature, code
    • G06K19/067 Record carriers with conductive marks, printed circuits or semiconductor circuit elements, e.g. credit or identity cards also with resonating or responding marks without active components
    • G06K19/07 Record carriers with conductive marks, printed circuits or semiconductor circuit elements, e.g. credit or identity cards also with resonating or responding marks without active components with integrated circuit chips
    • G06K19/073 Special arrangements for circuits, e.g. for protecting identification code in memory
    • G06K19/07309 Means for preventing undesired reading or writing from or onto record carriers
    • G06K19/07372 Means for preventing undesired reading or writing from or onto record carriers by detecting tampering with the circuit

Definitions

  • An additional advantage of the detection arrangement may be that it may also sense over-ruling attacks, where the output "Z" of the driver is forced to its inverted logic value. In this case "A̅" (105) and the output signal "Z" (106) remain at the same logical value even longer, and the failure output "F" (404) may raise an alarm.
  • The circuit can be laid out so that it looks very similar to normal logic gates.
  • The only analog-like part of the schematic is the part that filters the normal short-time peaks, i.e. the capacitors 401, 402 and the weak p-channel MOS transistors in the NOR and AND gates 301, 302.
  • The capacitors can be laid out like normal transistors, and a weak p-channel transistor can be realized by a chain of normally sized transistors. This way the layout cannot be recognized as a special security circuit in the logic area of the chip by optical inspection.

Landscapes

  • Engineering & Computer Science
  • Computer Hardware Design
  • Theoretical Computer Science
  • General Physics & Mathematics
  • Physics & Mathematics
  • General Engineering & Computer Science
  • Computer Security & Cryptography
  • Microelectronics & Electronic Packaging
  • Health & Medical Sciences
  • Bioethics
  • General Health & Medical Sciences
  • Software Systems
  • Semiconductor Integrated Circuits
  • Electronic Switches

Abstract

There is provided a detection arrangement for detecting an attack to internal signals in a semiconductor device. The detection arrangement comprises a first input terminal, a second input terminal, and a comparison unit. The first input terminal is adapted to receive a first signal being indicative for a signal at a first stage of a driver of the semiconductor device, the driver being capable to drive signals internally to the semiconductor device. The second input terminal is adapted to receive a second signal being indicative for a signal at a second stage of the driver of the semiconductor device. The comparison unit is adapted to compare the first signal and the second signal and to determine a time period during which the signals are equal, wherein the determined time period is indicative for a potential attack, if the determined time period is above a predefined threshold.

Description

    FIELD OF THE INVENTION
  • The invention relates to a detection arrangement for detecting an attack to internal signals in a semiconductor device.
  • Furthermore, the invention relates to a driving unit comprising the detection arrangement.
  • Beyond this, the invention relates to a semiconductor device comprising the driving unit.
  • Moreover, the invention relates to a method for detecting an attack to internal signals in a semiconductor device.
  • Further, the invention relates to a computer-readable medium and a program element.
    BACKGROUND OF THE INVENTION
  • Many semiconductor products contain important data which have to be kept secret, like codes for encryption or identification. Examples are chips in banking cards, for ticketing or pay TV applications. Chips which are used in such fields might need to be security certified to prove a certain security standard. Sufficient resistance against all kinds of attacks which aim at retrieval of codes or against uncontrolled change of functionality has to be implemented. Possible attack scenarios can be grouped in sensing attacks and forcing attacks. Sensing attacks are all trials to get the secret information from the chip by measuring certain signals from the chip like current consumption, electromagnetic emission, or voltage probing of signal lines. Forcing attacks try to change the operation conditions and draw conclusions from the resulting behavior of the chip.
  • Security chips may use several sensors to detect such attack attempts, e.g. by checking environmental conditions (like supply voltage, temperature, and light exposure). With the availability of highly sophisticated equipment, time-resolved probing of single wires of a chip becomes more and more a realistic attack scenario. Also, forcing internal signals at certain points in time becomes possible. Some signals are of higher or special interest as they might give access to the most secret information. These are e.g. data busses and wires connected to the latches storing the secret keys. As global sensors are not able to detect such local attacks, these signals need dedicated protection.
  • Thus, there may be a need for an improved detection arrangement being capable to detect such local attacks for providing a protection for such signals.
    OBJECT AND SUMMARY OF THE INVENTION
  • It is an object of the invention to provide a detection arrangement and a method for detecting an attack to internal signals in a semiconductor device in order to protect secure information in the semiconductor device.
  • In order to achieve the object defined above, a detection arrangement, a driving unit, a semiconductor device, a detecting method, a computer-readable medium and a program element according to the independent claims are provided.
  • According to an exemplary embodiment of the invention, there is provided a detection arrangement for detecting an attack to internal signals in a semiconductor device, the detection arrangement comprising a first input terminal, a second input terminal, and a comparison unit. The first input terminal is adapted to receive a first signal being indicative for a signal at a first stage of a driver of the semiconductor device, the driver being capable to drive signals (e.g. of data busses) internally to the semiconductor device. The second input terminal is adapted to receive a second signal being indicative for a signal at a second stage of the driver of the semiconductor device. The comparison unit is adapted to compare the first signal and the second signal and to determine a time period during which the signals are equal, wherein the determined time period is indicative for a potential attack, if the determined time period is above a predefined threshold.
  • According to a further exemplary embodiment, there is provided a driving unit for driving signals of data busses internally to a semiconductor device. The driving unit comprises a driver having a first stage corresponding to an internal node between a first inverting unit of the driver and a second inverting unit of the driver and a second stage corresponding to an output node of the driver, and a detection arrangement having the above mentioned features, wherein the first stage and the second stage are connected to the detection arrangement.
  • According to a further exemplary embodiment, there is provided a semiconductor device. The semiconductor device comprises a driving unit having the above mentioned features, wherein the driving is capable to drive signals being associated with data busses and wires connected to latches of the semiconductor device.
  • According to a further exemplary embodiment, there is provided a semiconductor device. The semiconductor device comprises the detection arrangement having the above mentioned features.
  • According to a further exemplary embodiment, there is provided a method of detecting an attack to internal signals in a semiconductor device. The method comprises receiving, by a first input terminal of a detection arrangement, a first signal being indicative for a signal at a first stage of a driver of the semiconductor device, the driver being capable to drive signals (e.g. of data busses) internally to the semiconductor device, receiving, by a second input terminal of the detection arrangement, a second signal being indicative for a signal at a second stage of the driver of the semiconductor device, comparing, by a comparison unit, the first signal and the second signal and determining a time period during which the signals are equal, wherein the determined time period is indicative for a potential attack, if the determined time period is above a predefined threshold.
  • According to a further exemplary embodiment, a computer-readable medium is provided, in which a computer program of detecting an attack to internal signals in a semiconductor device is stored, which computer program, when being executed by a processor, is adapted to carry out or control a method having the above mentioned features.
  • According to still another exemplary embodiment, a program element (for instance a software routine, in source code or in executable code) of detecting an attack to internal signals in a semiconductor device is provided, which program element, when being executed by a processor, is adapted to carry out or control a method having the above mentioned features.
  • Detecting an attack to internal signals in a semiconductor device, which may be performed according to embodiments of the invention, can be realized by a computer program, that is, by software, or by using one or more special electronic optimization circuits, that is, in hardware, or in hybrid form, that is, by means of software components and hardware components.
  • As explained above, many semiconductor products contain important data which have to be kept secret, like codes for encryption or identification. Sufficient resistance against all kinds of attacks which aim at retrieval of codes or against uncontrolled change of functionality might need to be implemented. Possible attack scenarios can be grouped in sensing attacks and forcing attacks. Sensing attacks are all trials to get the secret information from a chip (semiconductor device) by measuring certain signals from the chip like current consumption, electromagnetic emission, or voltage probing of signal lines. Forcing attacks try to change the operation conditions and draw conclusions from the resulting behavior of the chip.
  • While an external communication in such chips can be protected by encryption algorithms, internally the data must be processed in "plain" representation. For performance reasons, strong encryption schemes cannot be used for internal data busses and signals. Hence, probing internal signals or forcing false data to these signals is a critical attack scenario for security circuits.
  • Signals of data busses are usually driven by logic drivers, in particular simple or tristate CMOS logic drivers. Such drivers are designed for a well-defined maximum capacitive output load. Probing of the signal status can be done by high resistive voltage measurement, but such a measurement will increase the load capacitance of the driver connected to the probed signal.
  • The present invention is based on the idea to detect probing and forcing attempts and, in a further embodiment, to generate an internal alarm if such an attack is detected. The detection arrangement or detection sensor is able to check the connected capacity and the actual voltage level of signals. This invention describes an arrangement and method to detect such an additional capacitive load. In addition it is also able to detect externally forced signals, also called over-ruling of signals.
  • This detection may be performed by comparing two signals at different stages of the driver. Without any attack (e.g. probing), the two signals have the same value only for a maximum predefined period of time. When there is an attack, the load capacitance of the driver will be increased, which corresponds to a longer period in which the two signals have the same value. Thus, by comparing the signals, an increased capacity may be easily detected and thus also a potential attack may be detected.
  • In the following, further exemplary embodiments of the detection arrangement, the driving unit and the semiconductor device will be explained. However, these embodiments also apply to the detecting method, to the program element and to the computer-readable medium.
  • The comparison unit may comprise a first comparator for receiving and comparing the first and the second signal and a second comparator for receiving and comparing the first and the second signal.
  • The comparators may be logic gates. In particular, the first comparator may be a 2-input NOR gate and the second comparator may be a 2-input AND gate.
  • The first comparator may be adapted to indicate by a first equality signal when the first signal and the second signal are at a first logic value (for instance 0), and wherein the second comparator may be adapted to indicate by a second equality signal when the first signal and the second signal are at a second logic value different to the first logic value (for instance 1).
  • Each comparator may output an equality signal, which depends on the input signals, i.e., the signals at the first stage and the second stage. As each comparator indicates one specific logic value of the first and the second signal, for instance by an output value of logic 1, the output of both comparators (the first comparator for the logic 1 and the second for the logic 0 or vice versa) may be easily used for detecting how long the first and the second signal have the same value, i.e. are both logic 1 or both logic 0. If the first and the second signal are unequal, the output of both comparators may be logic 0. Thus, if one of the equality signals (i.e. the output of the comparators) has a logic 1, the duration of this logic 1 value may be determined and compared with the predefined threshold. Thus, both comparators may indicate a potential attack.
  • The comparison unit may further comprise a third comparator for receiving and combining the first and the second equality signal.
  • The third comparator may combine both equality signals into one common output. Thus, a potential attack may be indicated by one single signal.
  • An output of the third comparator may correspond to an alarm signal for raising an alarm in case of a potential attack.
  • The output of the third comparator may be used as an alarm signal. For instance, when the third comparator is an OR gate, an output signal having a logic 1 indicates a potential attack. Other kinds of comparators may also be used.
  • The output of the first comparator may be coupled via a first capacitor to a common line and the output of the second comparator is coupled via a second capacitor to the same common line.
  • To avoid false alarms during normal switching, the equality signals should be ignored if their duration is shorter than the predefined threshold. This can be done by adding (small) capacitors to the outputs of the first and the second comparator and making the outputs asymmetric, for instance weak p-MOS and relatively strong n-MOS. Using two separate capacitors may allow the response time of the comparators versus the threshold time to be tuned separately for rising and falling edges at the input of the driver.
  • The common line may be for instance ground or a common supply line like VCC or VDD.
  • The detection arrangement may further comprise a combining unit being adapted to combine the first and the second equality signal.
  • Another possible implementation would be to combine the two equality signals to one single signal. This single signal may be used as an alarm signal.
  • The detection arrangement may further comprise a filtering unit being adapted to receive the output of the combining unit and to filter short pulses from the received signal.
  • According to this embodiment, short pulses of the equality signals may be filtered so that they will not be considered for the detection of an attack. Short pulses may typically occur due to switching or the like.
  • The driver may be capable to drive signals being associated with data busses and wires connected to latches of the semiconductor device. The latches may be adapted to store secret information.
  • As explained above, latches of the semiconductor device may store secret information like keys. The driver being associated with these latches, or with data busses or wires being connected with the latches, should be protected against attacks or at least it should be possible to detect such attacks and to raise an alarm as described by embodiments of the present invention.
  • The aspects defined above and further aspects of the invention are apparent from the examples of embodiment to be described hereinafter and are explained with reference to these examples of embodiment.
    BRIEF DESCRIPTION OF THE DRAWINGS
  • The invention will be described in more detail hereinafter with reference to examples of embodiment but to which the invention is not limited.
    • Fig. 1 illustrates a driving unit according to an exemplary embodiment of the invention.
    • Fig. 2A illustrates a driving unit according to the prior art.
    • Fig. 2B illustrates signals corresponding to the driving unit of Fig. 2A.
    • Fig. 3A illustrates a driving unit according to an exemplary embodiment of the invention.
    • Fig. 3B illustrates signals corresponding to the driving unit of Fig. 3A.
    • Fig. 4A illustrates a driving unit according to an exemplary embodiment of the invention.
    • Fig. 4B illustrates signals corresponding to the driving unit of Fig. 4A.
  • DESCRIPTION OF EMBODIMENTS
  • The illustration in the drawings is schematic. In different drawings, similar or identical elements are provided with the same reference signs.
  • Fig. 2A illustrates a standard signal buffer 200. The input signal 104 is inverted twice. A weak inverter 101 which is built (as an example) out of a p-channel MOS transistor 201 and an n-channel MOS transistor 202 is used to drive the input of a strong inverter 102, also built up of two transistors 203 and 204. The strong inverter is able to charge a maximum specified load capacitance 205 in a certain time. Fig. 2B schematically shows the time dependence of the involved signals. When the input "A" (104) changes its logic state, the internal node "A̅" (105) will immediately change to its logical complement value. The output "Z" (106) will toggle to the same logic value as the input (104) but with some delay which depends on the connected capacitance.
  • In order to detect an attack on the signal, in which case the capacitance value of the load capacitance 205 increases, a detection arrangement 103 within a driving unit 100 can be used as described in Fig. 1.
  • The detection arrangement 103 comprises a first input terminal which is adapted to receive a first signal indicative of a signal 105 (A̅) at a first stage of the driver (inverting units 101 and 102) of a semiconductor device. The detection arrangement further comprises a second input terminal adapted to receive a second signal indicative of a signal 106 (Z) at a second stage of the driver of the semiconductor device. The detection arrangement further comprises a comparison unit adapted to compare the first signal and the second signal and to determine a time period during which the signals are equal. The determined time period is indicative of a potential attack if it is above a predefined threshold. An output signal 107 of the detection arrangement can be used as an alarm signal.
  • As shown in the Figures, for a short time the internally inverted signal "A̅" (105) (signal at the first stage) and the output signal "Z" (106) (signal at the second stage) are of the same logic value. The time of equality scales with the connected capacitance. By adding two logic comparators 301, 302 to the circuit, as shown in the driving unit 300, 400 of Figs. 3A and 4A, the equality can be checked. As shown in Figs. 3B and 4B, a 2-input NOR gate 301 shows a logic 1 when "A̅" (105) and "Z" (106) are both at logic 0, and a 2-input AND gate 302 shows a logic 1 when "A̅" (105) and "Z" (108) are both at logic 1. If the output capacitance 205 is less than the specified maximum load capacitance, the duration of the equality signals will be less than a maximum delay time "td".
  • To avoid false alarms during normal switching, the equality signals should be ignored if their duration is shorter than "td". As shown in Fig. 4A, this can be done by adding small capacitors 401, 402 to the outputs of the NOR 301 and AND 302 gates and making the outputs asymmetric, i.e., with a weak p-MOS and a relatively strong n-MOS. An additional OR gate 403 can combine both equality signals into one common "alarm" or "failure" output "F" (404). Using two separate capacitors may allow the response time versus "td" to be tuned separately for rising and falling edges at input "A". Another possible implementation would be to combine the two equality signals into one single signal and apply the filtering of short expected pulses only once.
  • An additional advantage of the detection arrangement may be that it may also sense over-ruling attacks, where the output "Z" of the driver is forced to its inverted logic value. In this case "A̅" (105) and the output signal "Z" (106) remain at the same logic value even longer and the failure output "F" (404) may raise an alarm.
  • The circuit can be laid out in a way that it looks very similar to normal logic gates. The only analog-like part of the schematic is the part that filters the normal short-time peaks, i.e. the capacitors 401, 402 and the weak p-channel MOS transistors in the NOR and AND gates 301, 302. The capacitors can be laid out like normal transistors, and a weak p-channel transistor can be realized by a chain of normally sized transistors. This way the layout cannot be recognized as a special security circuit in the logic area of the chip by optical inspection.
  • It should be noted that the term "comprising" does not exclude other elements or features and the "a" or "an" does not exclude a plurality. Also elements described in association with different embodiments may be combined.
  • It should also be noted that reference signs in the claims shall not be construed as limiting the scope of the claims.
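The detection logic of Figs. 3A and 4A can be checked with a small behavioural model. The following is an added example, not part of the patent text: it steps the driver output "Z" as an RC node, evaluates the NOR 301 and AND 302 equality gates against "A̅", filters each with a slow-charging, fast-resetting capacitor, and ORs the results into "F". All component values, the 1 ps time step and the names `simulate`, `t_d_ps` and `Result` are assumptions made for illustration; the patent specifies none of them.

```python
import math
from typing import NamedTuple, Optional

# All component values are constructed for illustration; the patent gives none.
VDD, VTH = 1.0, 0.5      # normalised supply and logic threshold
R_DRV_KOHM = 2.0         # on-resistance of strong inverter 102
R_WEAK_KOHM = 20.0       # weak p-MOS pull-up inside gates 301 / 302
C_FILT_FF = 15.0         # filter capacitors 401 / 402
C_MAX_FF = 100.0         # specified maximum load capacitance 205
HALF_PERIOD_PS = 2000    # input A toggles every 2 ns; one step = 1 ps


class Result(NamedTuple):
    alarm: bool              # failure output F (404) went high at least once
    longest_equal_ps: int    # longest run with A-bar and Z at the same logic value


def t_d_ps() -> float:
    """Equality pulse width the RC filter tolerates before its output crosses VTH."""
    return R_WEAK_KOHM * C_FILT_FF * math.log(VDD / (VDD - VTH))


def simulate(c_load_ff: float, forced_z: Optional[int] = None, cycles: int = 3) -> Result:
    """Step the driver and detector in 1 ps increments (kOhm * fF = ps)."""
    if c_load_ff <= 0:
        raise ValueError("load capacitance must be positive")
    k_z = 1.0 - math.exp(-1.0 / (R_DRV_KOHM * c_load_ff))   # per-step charge of Z
    k_f = 1.0 - math.exp(-1.0 / (R_WEAK_KOHM * C_FILT_FF))  # per-step charge of filter
    vz = 0.0                        # analogue voltage on output node Z (106)
    vf = {"nor": 0.0, "and": 0.0}   # voltages on capacitors 401 and 402
    run = longest = 0
    alarm = False
    for step in range(2 * cycles * HALF_PERIOD_PS):
        a = (step // HALF_PERIOD_PS) % 2       # input A (104)
        a_bar = 1 - a                          # node A-bar (105) follows at once
        if forced_z is None:
            vz += (a * VDD - vz) * k_z         # inverter 102 charges the load
        else:
            vz = forced_z * VDD                # output over-ruled from outside
        z = 1 if vz > VTH else 0
        equal = {"nor": a_bar == 0 and z == 0,   # NOR gate 301
                 "and": a_bar == 1 and z == 1}   # AND gate 302
        for gate, is_equal in equal.items():
            # Weak pull-up charges the capacitor slowly; strong n-MOS resets it.
            vf[gate] = vf[gate] + (VDD - vf[gate]) * k_f if is_equal else 0.0
        run = run + 1 if any(equal.values()) else 0
        longest = max(longest, run)
        alarm = alarm or any(v > VTH for v in vf.values())   # OR gate 403 -> F
    return Result(alarm, longest)


if __name__ == "__main__":
    print(f"filter threshold td = {t_d_ps():.0f} ps")
    for label, kwargs in [
        ("specified maximum load", {"c_load_ff": C_MAX_FF}),
        ("load tripled by added capacitance", {"c_load_ff": 3 * C_MAX_FF}),
        ("output Z held low", {"c_load_ff": C_MAX_FF, "forced_z": 0}),
    ]:
        r = simulate(**kwargs)
        print(f"{label:35s} equal for {r.longest_equal_ps:4d} ps  F={int(r.alarm)}")
```

With these values the equality pulses at the specified load stay below the filter threshold, so "F" stays low during normal switching, while the heavier load and the held output both keep the gates equal long enough to charge a filter capacitor past the logic threshold.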

Claims (13)

  1. A detection arrangement for detecting an attack to internal signals in a semiconductor device, the detection arrangement comprising
    a first input terminal,
    a second input terminal, and
    a comparison unit,
    wherein the first input terminal is adapted to receive a first signal being indicative for a signal at a first stage of a driver of the semiconductor device, the driver being capable to drive signals internally to the semiconductor device,
    wherein the second input terminal is adapted to receive a second signal being indicative for a signal at a second stage of the driver of the semiconductor device, and
    wherein the comparison unit is adapted to compare the first signal and the second signal and to determine a time period during which the signals are equal,
    wherein the determined time period is indicative for a potential attack, if the determined time period is above a predefined threshold.
  2. The detection arrangement according to claim 1,
    wherein the comparison unit comprises a first comparator for receiving and comparing the first and the second signal and a second comparator for receiving and comparing the first and the second signal.
  3. The detection arrangement according to claim 2,
    wherein the first comparator is adapted to indicate by a first equality signal when the first signal and the second signal are at a first logic value, and wherein the second comparator is adapted to indicate by a second equality signal when the first signal and the second signal are at a second logic value different to the first logic value.
  4. The detection arrangement according to claim 3,
    wherein the comparison unit further comprises a third comparator for receiving and combining the first and the second equality signal.
  5. The detection arrangement according to claim 4,
    wherein an output of the third comparator corresponds to an alarm signal for raising an alarm in case of a potential attack.
  6. The detection arrangement according to claim 2,
    wherein the output of the first comparator is coupled via a first capacitor to a common line and the output of the second comparator is coupled via a second capacitor to the same common line.
  7. The detection arrangement according to claim 3,
    further comprising a combining unit being adapted to combine the first and the second equality signal.
  8. The detection arrangement according to claim 7,
    further comprising a filtering unit being adapted to receive the output of the combining unit and to filter short pulses from the received signal.
  9. A driving unit for driving signals of data busses internally to a semiconductor device, the driving unit comprising
    a driver having a first stage corresponding to an internal node between a first inverting unit of the driver and a second inverting unit of the driver and a second stage corresponding to an output node of the driver, and
    a detection arrangement according to claim 1,
    wherein the first stage and the second stage are connected to the detection arrangement.
  10. The driving unit according to claim 9,
    wherein the driver is capable to drive signals being associated with data busses and wires connected to latches of the semiconductor device.
  11. A semiconductor device, the semiconductor device comprising a driving unit according to claim 9,
    wherein the driving unit is capable to drive signals internally to the semiconductor device, in particular signals being associated with data busses and wires connected to latches of the semiconductor device.
  12. The semiconductor device according to claim 1,
    wherein the latches are adapted to store secret information.
  13. Method of detecting an attack to internal signals in a semiconductor device, the method comprising
    receiving, by a first input terminal of a detection arrangement, a first signal being indicative for a signal at a first stage of a driver of the semiconductor device, the driver being capable to drive signals internally to the semiconductor device,
    receiving, by a second input terminal of the detection arrangement, a second signal being indicative for a signal at a second stage of the driver of the semiconductor device,
    comparing, by a comparison unit, the first signal and the second signal and determining a time period during which the signals are equal,
    wherein the determined time period is indicative for a potential attack, if the determined time period is above a predefined threshold.
EP12182221.7A 2012-08-29 2012-08-29 Detection arrangement Active EP2704063B1 (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
EP12182221.7A EP2704063B1 (en) 2012-08-29 2012-08-29 Detection arrangement
CN201310302715.8A CN103679010B (en) 2012-08-29 2013-07-18 Detection device
US14/010,145 US9471792B2 (en) 2012-08-29 2013-08-26 Detection arrangement

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
EP12182221.7A EP2704063B1 (en) 2012-08-29 2012-08-29 Detection arrangement

Publications (2)

Publication Number Publication Date
EP2704063A1 EP2704063A1 (en) 2014-03-05
EP2704063B1 EP2704063B1 (en) 2015-07-15

Family

ID=47115237

Family Applications (1)

Application Number Title Priority Date Filing Date
EP12182221.7A Active EP2704063B1 (en) 2012-08-29 2012-08-29 Detection arrangement

Country Status (3)

Country Link
US (1) US9471792B2 (en)
EP (1) EP2704063B1 (en)
CN (1) CN103679010B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9523736B2 (en) * 2014-06-19 2016-12-20 Nuvoton Technology Corporation Detection of fault injection attacks using high-fanout networks
WO2016169816A1 (en) * 2015-04-21 2016-10-27 Philips Lighting Holding B.V. Identifying a temperature anomaly
US10372587B1 (en) * 2015-11-09 2019-08-06 The United States Of America As Represented By Secretary Of The Navy Electronic device monitoring using induced electromagnetic emissions from software stress techniques
CN107942154A (en) * 2017-10-16 2018-04-20 北京中电华大电子设计有限责任公司 A kind of protection structures and methods suitable for the protection of chip EMP attack N

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1582963A1 (en) * 2004-03-31 2005-10-05 St Microelectronics S.A. Apparatus for detection of attacks on a circuit chip

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
AU2002357606A1 (en) 2001-12-20 2003-07-09 Matsushita Electric Industrial Co., Ltd. Potential generating circuit, potential generating apparatus, semiconductor device using the same, and driving method thereof
US8054099B2 (en) * 2009-07-29 2011-11-08 The Boeing Company Method and apparatus for reducing radiation and cross-talk induced data errors

Also Published As

Publication number Publication date
EP2704063B1 (en) 2015-07-15
CN103679010B (en) 2016-10-05
CN103679010A (en) 2014-03-26
US9471792B2 (en) 2016-10-18
US20140068762A1 (en) 2014-03-06

Similar Documents

Publication Publication Date Title
JP4122257B2 (en) Integrated circuit chip voltage glitch detection circuit, smart card voltage glitch detection circuit, and integrated circuit device protection method
US7859421B2 (en) Circuit and method for detecting a voltage change
US10677839B2 (en) Circuit and method for detecting a fault attack
US9471792B2 (en) Detection arrangement
CN110647063B (en) Microcontroller and EFT event protection method
JP5581147B2 (en) Monitoring the operation of electronic circuits
US20180091149A1 (en) Circuit and method for checking the integrity of a control signal
US8104690B2 (en) Smart card system and operating method thereof
US20150380397A1 (en) ESD Protection for Advanced CMOS Processes
US7363190B2 (en) Sensor control circuit
KR100873243B1 (en) Thermal protection for a vlsi chip through reduced c4 usage
US20200285780A1 (en) Cross domain voltage glitch detection circuit for enhancing chip security
Yanci et al. Detecting voltage glitch attacks on secure devices
US20050044403A1 (en) Detection circuit for a smart card
US8976608B2 (en) Semiconductor integrated circuit device
US20190271728A1 (en) Device and method for detecting a number of electrostatic discharges
JP4440214B2 (en) Semiconductor device
US7501836B2 (en) Apparatus and method for determining capacitance variation in an integrated circuit
US7504865B2 (en) Frequency sensor and semiconductor device
US20080012574A1 (en) Qualifying of a detector of noise peaks in the supply of an integrated circuit
US10063225B1 (en) Voltage switching device and method
US7602195B2 (en) Single pin multi-state identifier using RC timing element
JP2008211708A (en) Signal line monitoring circuit, protection method and electronic device using the same
US8384414B2 (en) Implementing hacking detection and block function at indeterminate times with priorities and limits
US10305470B1 (en) Circuit for recovering from power loss and electronic device using the same circuit and method thereof

Legal Events

Date Code Title Description
17P Request for examination filed

Effective date: 20131031

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

AX Request for extension of the european patent

Extension state: BA ME

PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

RBV Designated contracting states (corrected)

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

17Q First examination report despatched

Effective date: 20141128

GRAP Despatch of communication of intention to grant a patent

Free format text: ORIGINAL CODE: EPIDOSNIGR1

INTG Intention to grant announced

Effective date: 20150304

GRAS Grant fee paid

Free format text: ORIGINAL CODE: EPIDOSNIGR3

GRAA (expected) grant

Free format text: ORIGINAL CODE: 0009210

AK Designated contracting states

Kind code of ref document: B1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

REG Reference to a national code

Ref country code: CH

Ref legal event code: EP

Ref country code: GB

Ref legal event code: FG4D

REG Reference to a national code

Ref country code: FR

Ref legal event code: PLFP

Year of fee payment: 4

REG Reference to a national code

Ref country code: IE

Ref legal event code: FG4D

REG Reference to a national code

Ref country code: AT

Ref legal event code: REF

Ref document number: 737135

Country of ref document: AT

Kind code of ref document: T

Effective date: 20150815

REG Reference to a national code

Ref country code: DE

Ref legal event code: R096

Ref document number: 602012008747

Country of ref document: DE

REG Reference to a national code

Ref country code: AT

Ref legal event code: MK05

Ref document number: 737135

Country of ref document: AT

Kind code of ref document: T

Effective date: 20150715

REG Reference to a national code

Ref country code: NL

Ref legal event code: MP

Effective date: 20150715

REG Reference to a national code

Ref country code: LT

Ref legal event code: MG4D

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: FI

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20150715

Ref country code: LT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20150715

Ref country code: LV

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20150715

Ref country code: GR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20151016

Ref country code: NO

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20151015

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: AT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20150715

Ref country code: ES

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20150715

Ref country code: PT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20151116

Ref country code: HR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20150715

Ref country code: PL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20150715

Ref country code: SE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20150715

Ref country code: RS

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20150715

REG Reference to a national code

Ref country code: CH

Ref legal event code: PL

REG Reference to a national code

Ref country code: DE

Ref legal event code: R097

Ref document number: 602012008747

Country of ref document: DE

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: IT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20150715

Ref country code: SK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20150715

Ref country code: DK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20150715

Ref country code: MC

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20150715

Ref country code: CZ

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20150715

Ref country code: LI

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20150831

Ref country code: EE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20150715

Ref country code: CH

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20150831

PLBE No opposition filed within time limit

Free format text: ORIGINAL CODE: 0009261

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: NO OPPOSITION FILED WITHIN TIME LIMIT

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: RO

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20150715

REG Reference to a national code

Ref country code: IE

Ref legal event code: MM4A

26N No opposition filed

Effective date: 20160418

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: IS

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20150715

REG Reference to a national code

Ref country code: FR

Ref legal event code: PLFP

Year of fee payment: 5

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: IE

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20150829

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: SI

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20150715

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: MT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20150715

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: SM

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20150715

Ref country code: HU

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT; INVALID AB INITIO

Effective date: 20120829

Ref country code: BG

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20150715

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: NL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20150715

Ref country code: CY

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20150715

REG Reference to a national code

Ref country code: FR

Ref legal event code: PLFP

Year of fee payment: 6

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: BE

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20150831

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: LU

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20150829

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: MK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20150715

Ref country code: TR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20150715

REG Reference to a national code

Ref country code: FR

Ref legal event code: PLFP

Year of fee payment: 7

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: AL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20150715

P01 Opt-out of the competence of the unified patent court (upc) registered

Effective date: 20230725

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: GB

Payment date: 20230720

Year of fee payment: 12

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: FR

Payment date: 20230720

Year of fee payment: 12

Ref country code: DE

Payment date: 20230720

Year of fee payment: 12